2024.01.18 SSL error in Rails

Error

OpenSSL::SSL::SSLError in RecruitsController#update
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

Checking with openssl s_client also ends in "unable to get local issuer certificate".

# openssl s_client -showcerts -host valid-isrgrootx1.letsencrypt.org -port 443
Verification error: unable to get local issuer certificate

Fix

Path of the root certificates that Ruby uses

Ruby was using /usr/local/ssl/cert.pem.

ssl_path.rb

require 'openssl'
p OpenSSL::X509::DEFAULT_CERT_FILE
ruby ssl_path.rb 
"/usr/local/ssl/cert.pem"

Running it as a one-liner

ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"

However, no root certificate bundle exists at that path.

# ll /usr/local/ssl/cert.pem
ls: cannot access '/usr/local/ssl/cert.pem': No such file or directory

Fix this by creating a symlink to the system CA bundle.

# ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem  /usr/local/ssl/cert.pem

# ll /usr/local/ssl/cert.pem
lrwxrwxrwx. 1 root root 49 Jan 18 15:13 /usr/local/ssl/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
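
The path check and symlink fix above can be verified from Ruby itself. The following is an added example, not code from the original post: the helper names (effective_cert_file, inspect_ca_bundle, constructed_root_pem) are hypothetical, and the certificate is a throwaway self-signed one constructed for the demonstration. It also goes one step beyond `ll` by confirming that the bundle contains certificates that parse.

```ruby
require 'openssl'
require 'tmpdir'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# SSL_CERT_FILE, when set, overrides the compiled-in default path.
def effective_cert_file(env = ENV)
  env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
end

def parse_cert(pem)
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil # a PEM block OpenSSL cannot parse is skipped, not fatal
end

# Classify a CA bundle path: missing, dangling symlink, unreadable, empty, or ok.
def inspect_ca_bundle(path)
  return { path: path, status: :dangling_symlink } if File.symlink?(path) && !File.exist?(path)
  return { path: path, status: :missing } unless File.exist?(path)
  return { path: path, status: :unreadable } unless File.file?(path) && File.readable?(path)

  certs = File.binread(path).scan(PEM_CERT).map { |pem| parse_cert(pem) }.compact
  { path: path, status: certs.empty? ? :no_certificates : :ok, certs: certs.size,
    expired: certs.count { |c| c.not_after < Time.now }, target: File.realpath(path) }
end

# Constructed sample input: a throwaway self-signed certificate, not a real CA.
def constructed_root_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-root')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  p inspect_ca_bundle(effective_cert_file) # the path this Ruby build really uses
  Dir.mktmpdir do |dir| # constructed layout mirroring the post's symlink fix
    bundle = File.join(dir, 'tls-ca-bundle.pem')
    link = File.join(dir, 'cert.pem')
    File.write(bundle, constructed_root_pem)
    File.symlink(bundle, link)
    p inspect_ca_bundle(link)
  end
end
```

A status of :dangling_symlink means the link exists but its target bundle is gone, which produces the same "unable to get local issuer certificate" error as a missing file.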

For some reason, the root certificate package could not be updated either.

# yum update ca-certificates
Last metadata expiration check: 0:29:05 ago on Thu Jan 18 14:57:01 2024.
Dependencies resolved.
=========================================================================================================================
 Package                      Architecture        Version                                      Repository           Size
=========================================================================================================================
Upgrading:
 ca-certificates              noarch              2023.2.60_v7.0.306-90.1.el9_2                baseos              835 k

Transaction Summary
=========================================================================================================================
Upgrade  1 Package

Total download size: 835 k
Is this ok [y/N]: y
Downloading Packages:
                                              [===                                     ] ---  B/s |   0  B     --:-- ETA
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Error downloading packages:
  Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.almalinux.org/mirrorlist/9/baseos [error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt]

Running the update as follows, with certificate verification disabled for that one command, resolved it.

# yum --setopt='sslverify=false' update ca-certificates